California's New Privacy Rule Will Impact Financial Institutions
January 9, 2020, WatersTechnology
Michael Nonaka spoke with WatersTechnology about the impact of the California Consumer Privacy Act on financial institutions. Mr. Nonaka says, “There are exemptions [in the CCPA] for information that is covered by the GLBA. This is consumer information used by FIs, including broker-dealers. But there is not a broad exemption that just takes out the entirety of data maintained by capital markets firms. The GLBA applies to a bank or broker-dealer that is providing a financial product or service to a consumer, and the consumer has to be using that product or service for personal, family, or household purposes.”
He explains that if an individual were to apply for a credit card online with a bank, the data generated by that interaction is covered by GLBA and counts as personal purposes. However, if that same person went to that same bank to take out a loan because they wanted to start a small business, the GLBA exemption would not apply and that data would be covered by the CCPA.
Under the CCPA, residents of California can now demand that companies disclose what information they have on them. They can demand that the company delete that data (subject to some exemptions). And they can opt out of the sale of their data to third parties. The definitions in the regulation are broad and prescriptive.
“You have this waterfall you have to do in order to determine that financial data in an institution’s hands is subject to the CCPA; you apply the different exemptions to the CCPA overall, and then there are exceptions to the different specific rights in the CCPA. So it becomes a very layered analysis,” he adds.
“This is a very significant development, both in terms of the specific requirements and for what it signals about what other states may do in future. It is a very prescriptive privacy framework, similar in some ways to GDPR, and it is prescriptive in a way that most US companies haven’t had to deal with,” Mr. Nonaka says.
He says other states will probably follow suit—which will compound the complexity for large organizations.
“If you think what California has done in enacting its own regime is complicated, just imagine what it would be like if 15, 25, or even 35 states move forward and enact their own version of the CCPA, and how complicated that would make privacy regulation in the US with all these competing regimes. And it just so happens to be in the most populous state in the US, so it covers a ton of people [and] it covers a ton of companies. The CCPA has become a benchmark of sorts on its own, even though it only applies to California residents.”